Random stuff that interests, amuses, or vexes Will Murray.

‘Millennials’ buck IT security policies

Today, SearchCIO.com released an article titled ‘Millennials’ buck IT security policies by Linda Tucci, Senior News Writer.
Two things. First, DUH! 🙂 Second, what’s the big deal? I’m not a Millennial, though I share a lot of traits with them. I co-own a business and manage its IT security. These changes don’t scare me, and I’ll tell you why…

What information is everyone so scared is going to be divulged? Unless it is customers’ personal, medical, or financial data that has been entrusted to you, it’s probably not really worth keeping secret.

For example:

Business practices. Chances are your company is not as different from the competition as you’d like to believe. Further, anyone who has worked for your company and left (willingly or otherwise) has a pretty good understanding of your business, and will share that information with others. Non-disclosure agreements (NDAs) won’t help. While millennials are likely to blog about work and spill the beans on what happens there, it’s only a recent variation on the common practice of friends gathering for drinks and swapping stories about their day at the office. In short, the scale and speed at which the information can be spread is greater, but that’s about it.

Proprietary information. I’m talking about the kind of technology that companies patent or hide behind big red rubber stamps that read “SECRET”. Keeping that information a closely protected asset makes sense to shareholders and government oversight committees, but it does nothing to help increase and expand the sum of human knowledge and experience. Consider the progress that open source projects like the Apache Web server, Firefox browser, and Linux operating system have made by people working together without a profit motivation. Imagine if, instead of attempting to stymie and halt such progress, Microsoft and SCO had worked with open source developers as many other companies have begun to do (and even Microsoft is now showing up, late, to that party). Data in a vacuum is wasted opportunity. Additionally, it means you are operating with blinders on, since only people whose jobs are on the line are reviewing it. When the world can look at your data, you’re much more likely to find the flaws before they become deeply entrenched within your product.

Customer lists. So now sales people carry out exports of CRM databases instead of carbon copies of typed customer lists… Again, the scope and scale of the data leaving the company has changed, but not the fact that sales people have always tried to keep their old customers with them when they move to a new company. A good sales person will maintain a pretty good list in the old noggin, and not even need to rely upon stolen data. Think about this from a different perspective though. The sales person wants the customer to follow him to the new company because a relationship has already been forged, and it’s far easier to modify an existing relationship than forge a new one from scratch. So why is it that most customers usually remain with the original company, rather than jumping ship to the new one? Because the customer has invested in a relationship with the company, too. From the customer’s standpoint, forging a relationship with a new company is much more of a risk than going through the awkward period of breaking in a new account rep. Unless, of course, the customer is unhappy with the original company’s products or practices, in which case, a change might seem like more of an opportunity than a risk. The point is that if the company is treating its customers well, it really doesn’t matter if customer lists leave. A good customer of a good company will stay, and the ones who go probably weren’t all that happy in the first place.

Theft of company time and resources by “goofing off” online. The first thing that non-millennials need to understand about millennials is that they process information much faster. Non-millennials grew up in an era where a daily newspaper and a nightly TV news broadcast were the most up-to-date sources of news. Given such a limited space in which to deliver news, the items that made it into the paper were, um, newsworthy. Millennials grew up with a constant bombardment of 20- and 30-second commercials, fast-paced video games, “Short Attention Span Theater” and “Spark Notes” (think of abridged versions of “Cliff’s Notes”). News started flowing much faster and much more frequently with the advent of CNN, Fox News, and then the Internet. The “newsworthy-ness” of much of the “news” dropped, because there was so much space to fill, anything half-way newsworthy was needed to prevent “dead air”. Add to that the need to have top ratings, and news took on a greater amount of entertainment value. This has led millennials to expect, even demand, bite-sized pieces of up-to-the-second breaking news. The Internet and mobile devices give them that information. To many non-millennials, such frequent flow of data is a distraction, or worse, a time-waster. To millennials, it’s like food or money. How can the same thing be viewed in such totally different contexts? Remember that millennials generally process information faster than their non-millennial counterparts. Without a steady flow of information coming in, they end up with distracting “dead air” in their brains. That can be simply mildly annoying, but bearable, to the millennial. To others, it can lead to loss of productivity as they “zone out” during the dead times, or it can lead to anxiety, irritation, frustration, or even lashing out in anger. Non-millennials can imagine how the millennial feels if they picture being deprived of food or money.
Since they, generally, can process information faster, millennials can usually accomplish the same amount of work that non-millennials can (much to the nons’ chagrin) while still “goofing off” on the Internet: IM’ing and texting friends, twittering, and catching up on their social networks and favorite athletes’ standings. A millennial will not work faster or more efficiently with such access denied, but resentment will build. In fact, the millennial’s productivity may drop, and his or her idle mind may start hatching plans on interesting ways to circumvent security or retaliate against (in their view) oppressive rules. So, is it theft of company resources? Or is it accommodating workers’ needs, like bathroom breaks, water coolers, and meal periods? All of those non-millennial standbys can be abused, just as Internet and mobile access can be, but that doesn’t make them any less important to the workers.

Increasing exposure of loss by using personal equipment. The first thing to realize is that millennials are probably more security aware than the non-millennials are. Security concerns are so mundane to millennials that they don’t think about it much; instead, they react instinctively. Think about your own experience while learning to drive a car. When it was all new to you, everything you did was a conscious act: hands at 10:00 and 2:00, look in the mirror before changing lanes, cut the wheel when you are at a certain point during parallel parking. When you got things right, it was a big deal! A few years later, you stopped doing that–not the driving, but the conscious act of driving. Soon, you probably realized that entire parts of your daily commute were made without you even being aware of the miles passing; it had all become instinctive. Non-millennials are new to the whole cyber-security thing. It takes sticky notes to remember regular, but infrequent practices like defragmenting hard drives, running spyware scans, etc. Nons also have to check every e-mail title, or even look at the contents, just to be sure that it really is spam or a phishing scam. Nons even open attachments supposedly from people they know, even though the message looks suspicious, because it’s part of their culture to trust the mail and the people who (supposedly) sent it. Millennials are so used to seeing spam and scams flooding into their mailbox, that purging is nearly autonomous. If they delete a message from a friend (or a co-worker), it’s no big deal. If it was really important, the person will follow up with an IM, text message, or tweet. In fact, if it was really important, the person should have known to do that in advance so the millennial would be expecting it.
Likewise, millennials are immune to most ads (unless one strikes one of their interests), know how to use peer-to-peer file sharing in productive ways and avoid most trojans, and do all sorts of things that confound and boggle the minds of their non-millennial co-workers (and parents). Millennials also have a very disposable mentality. For them, anything older than two years is outdated; meanwhile, their non-millennial counterpart is hoping to squeeze one more year out of his or her five-year-old PC by upgrading the RAM. Since millennials process information at such a fast pace, their electronics have to keep up, too. As a result, they think nothing about replacing equipment that shows no sign of wear and was cutting edge technology less than a year ago. If some electronic device is lost or stolen, there’s no feeling of despair–unless they end up with a replacement “as lame” as their old one instead of an upgrade. While a non-millennial dreads the thought of reinstalling software, reloading data, and getting a computer back to “working condition” after a loss, many millennials start over from scratch by choice on a regular basis. Sometimes they do it when they replace their equipment, but other times it is simply to try to squeeze out a little more speed. Besides, they haven’t really lost anything… everything that is important to a millennial is safely stored away at dozens of different websites around the world. Their photo collection is housed at Flickr and maybe a few other sites. Their writings are safe at LiveJournal. Naturally, their financial information is safe and secure at Quicken.com or at their online bank. A computer, a phone, or any other device that connects to the Internet is only a tool to connect to where their information lives. And one device is pretty much as good as any other–as long as it doesn’t slow them down.
Even things like nasty viruses, the stuff of non-millennial IT managers’ nightmares, are no big deal–just pop in the recovery disc for the PC or hit the hard-reset on their phones, and they’re back in business again.
So what is a company to do in the face of all this? Do what the millennials do… store your important data online and get it off of the local machines. No, that doesn’t necessarily mean uploading all your company data to Google Docs and Spreadsheets (though many companies are doing just that). The drive toward virtualization is one answer to consider. Instead of handing out high-power PCs to every worker and replacing them every three years, give them a modest PC with a 4-5 year functional lifespan that is capable of connecting to a virtual workspace that lives on your company’s server. Then, open up those firewalls (in a secure way, of course) so that employees can access their virtual workspaces from anywhere. While the IRS tax code and other governmental laws may need to be updated to accept the fact that employees are no longer confined to an 8-hour workday, the fact is that millennials expect, and soon will be demanding, to be able to work as flexibly as they relax. For millennial employees who are responsible for meeting quotas of some sort (as opposed to the ones whose physical presence is required at regular periods in order to interact with customers or vendors), does it really matter if they work 3 hours before noon, take an afternoon nap at home, work another 2 hours, shuttle the kids to and from soccer and gymnastics, and then work another 5 hours into the night because they want to leave for an early weekend the next day? As long as the work is getting done and it is of acceptable quality, what difference does it make as to when or where the employees do it? A millennial would generally feel that it makes no difference at all. A non-millennial would disagree, and if he or she is a supervisor, it’s probably a vehement disagreement.

We are at a turning point that scares monolithic big businesses used to entrenching all their data behind veils of secrecy, patents, and non-disclosures. Things are changing, and as usual, people who are not part of the change are freaked out by change. But being a non-millennial business owner who has been fighting the good fight for freeing information (e.g., open source, elimination of DRM, etc.) for nearly 20 years, I see this as a good trend, not a scary one.

I can easily see a virtualized business landscape, in which even the dreaded weekly meetings become virtualized. That is, if there is even a need for them, since co-workers can IM, text, or Twitter updates in real-time to everyone who is involved. While there will still be a place for long-running ad campaigns, a new breed of quickly changing, rapidly adapting, new technology embracing ad campaigns will need to arise to help find a way into the rapidly decreasing “dead air”. Office buildings can be scaled down as more things become virtualized.

Finally, the promise of telecommuting may become a reality. Is it because of cost-savings or a desire to accommodate employees’ needs? No. It’s because millennials are going to continue bucking non-millennial norms, IT security policies just being the tip of the iceberg, until the World Wide Web becomes the World Wide Office, the World Wide Entertainment Zone, and even the World Wide World. As long as we don’t take it so far that we plug ourselves into that World Wide World and become “Coppertops” to a bunch of caretaker machines (à la The Matrix). As with anything, it’s easy to go to extremes. But it’s worth exploring the boundaries a bit.